5 Subsea Control and Umbilical Systems
5.1.2 Electrical/Communication/Signal Isolations
Evaluation of the potential hazards of direct and consequential injury from electric shock in the subsea environment can be more complicated than on land, therefore additional care needs to be taken to ensure correct electrical protection.
For this reason, a minimum of two independent and tested isolations should be established for diving personnel engaged in any subsea task where the presence of a potential hazard from electrical energy at potentially hazardous levels5 exists. At least one of these isolations (i.e. the preliminary isolation) should be located on the topside installation. The final local isolation should therefore be set in the subsea domain (where by design it is possible to do so).
This latter (local isolation) provides an increased level of safety and confidence for diving personnel since it is often not possible to conduct reliable electrical safety checks at the subsea worksite, in the conventional manner.
Note: The isolation principles set out above may only be waived when it is possible to set local isolations subsea, by disconnection of inductive couplers (see section 5.1.2.1.2).
5 Note: With regard to the term ‘… potentially hazardous levels…’ (above), the definition of the maximum safety levels – below which, divers may work without potential hazard – is based upon the two key parameters of safe body current and time duration for the actual shock experienced. This is explained in more detail in IMCA D 045/R 015 – see section 8.1.
In relation to the key electrical-shock parameters (safe body current and time duration), the associated safe values have been derived for shocks of potentially unlimited duration. These are given below:
Maximum safe body current for potentially unlimited duration assuming no ‘active’ fail safe method of protection against electric shock exists in the circuit is:
for alternating current (AC at 50-60 Hz) = 10 mA;
for direct current (DC) = 40 mA (Ref. IMCA D 045/R 015 – see section 8.1)
Note: The safe voltage limits may be obtained by utilising Ohm's Law (V = I x R).
Thus, multiply applicable safe body current (I) limit value (from above) by the recommended value for divers’ body resistance at low voltages R, i.e. R = 750 ohms to give ‘safe’ voltages of up to 30V DC or 7.5V AC.
The safe alternating current (AC) limit given above is at such a low level as to determine that preliminary topside isolation(s) should be set in place before diver intervention work can commence on virtually all AC circuits in a subsea system (with the exception of isolations utilising inductive-couplers).
The safe direct current (DC) limit (given above) should be considered as being applicable to either low-power subsea instrumentation or subsea communication circuits only (i.e. not main DC high-power supply circuits). Whilst these defined limits may be interpreted as being not hazardous, thus permitting diver work to take place whilst low-voltage circuits remain live (i.e. with no isolations in place), this practice should be carefully considered at the time of the risk assessment. There may in fact be technical reasons dictating that preliminary isolations need to be applied, even for such ‘safe’ voltages (see 5.1.2.1.2.1, 5.1.2.1.2.2, , 5.2.2.1, and 5.2.2.3.2).
Higher levels of AC or DC voltage may be considered ‘safe’ for divers for certain power circuits if protected by a reliable and proven means of fail-safe protection (e.g. RCD operating within a few milliseconds). In such instances, however, a detailed risk assessment review on a case-by-case basis (taking into consideration the operating principles of the applicable circuit protection and the conducted power levels) should be carried out. This approach introduces a dependency on automatic electrical circuit-breaking equipment, some of which is not fail-safe, hence this method may not be an appropriate form of planned isolation.
5.1.2.1 Applying Electrical/Communication/Signal Isolations
The common fundamental principle for topside and subsea electrical isolations within these guidelines is that the physical disconnection should be both adequate and secure.
The topside isolation(s) need to be installed by competent and authorised personnel only.
The subsea isolation should be, of necessity, installed by ‘non-electrically authorised’ personnel (i.e. divers). They are, however, ‘approved’ to implement such isolation as they operate strictly under the control and instruction of their supervisory personnel, who are directly responsible for diver safety by working to company-approved project procedures, at all times.
In witnessing the application of these isolations, project engineering personnel should be aware, in general terms, of certain criteria relating to the topside and subsea components of the subsea control system as detailed below (dual redundancy) and in the following sections 5.1.2.1.1 and 5.1.2.1.2.
Dual redundancy – As subsea control systems are generally installed in multiple-well applications then the electrical power/communication system is invariably configured in a dual-redundant (‘A’/‘B’) circuit arrangement (to ensure production up-time optimisation in the event of circuit failure). Such dual-redundancy may be used to advantage, by avoiding the electrical isolation of the complete electrical/communication system, when required to remove/replace a critical electrical component (e.g. SCM). Thus, for example, by applying a preliminary topside isolation to only the ‘A’ circuit (but continuing to maintain electrical power/communication through the ‘B’ circuit), it is possible to disconnect appropriate ‘A’ supply jumpers at the subsea worksite without loss of electrical power/communication to the remainder of the field. Further to the fitting of proprietary caps to the relevant subsea connector(s) it is then normally acceptable and safe for topsides to re-instate the ‘A’ circuit supplies. The procedure is then repeated for the ‘B’ system. On completion of this independent twin-isolation procedure, the subsea worksite is safely isolated locally, whilst the operation of any associated subsea field and infrastructure remains fully operational.
5.1.2.1.1 Applying Topside Isolations
5.1.2.1.1.1 Electrical Power Unit (EPU)
For adequate electrical power supply isolation, the disconnecting devices within the EPU should have an isolating gap sufficient for the voltage levels present or likely to occur.
Switches used for disconnection should be secure such that they can be locked in the ‘off’ position using a multi-key ‘safety’ lock device (e.g. a lock-out hasp secured by individual-user padlocks). All keys should be withdrawn to a central location of authority, to be kept under the control of a signed isolation certificate, as set out in the company permit to work system.
If a fuse is removed as part of the isolation, precautions should be applied to ensure that it, or a similar device, cannot be re-inserted. The aperture should be locked-off or the fuse removed from the worksite.
5.1.2.1.1.2 Topside Umbilical Termination Unit (TUTU) Junction Box
Although not a recommended method of isolation, it is possible (dependent on the applicable hazardous area zone classification) for low-power terminal connections located within the TUTU electrical junction box to be separated (e.g. a ‘knife-edge’ connector set to open position, or cables removed from terminals). For this method of isolation, precautions should be applied to ensure that any exposed connections are securely separated and isolated within the junction box(es). The TUTU should be locked such that it is not possible for the electrical supply to be inadvertently reconnected whilst work is taking place on the subsea equipment.
Note: High-voltage supply circuits to the umbilical power cores should not be simply disconnected for isolation in the above manner. A more safe and secure form of topside preliminary isolation (incorporating a physical separation) should be obtained at a higher level in the electrical distribution system.
5.1.2.1.1.3 Master Control Station (MCS)
Very low-voltage communication signals are transmitted and received to/from subsea by the MCS modem(s). Such signal links may be safely disabled (if required), for the purpose of setting isolations, by switching off at the circuit-breaker local to the modem sub-unit within the MCS.
Alternatively, the isolation may be applied at the appropriate terminal rail connection point within either the MCS cabinet, or the TUTU panel in the manner defined in 5.1.2.1.1.2 above.
5.1.2.1.1.4 Remote-Set Isolations (via MCS)
Generally, a selection of components within the subsea control system electrical architecture (e.g. power supply units in EPU, pump motors in HPU, solenoid valves in HPU, solenoid valves in SCM), can be operationally ‘disabled’/‘inhibited’/set ‘off-scan’, by remotely setting software ‘isolations’ from the topside MCS. If no other method of preliminary isolation is possible then this technique may be considered at the risk assessment phase for the application of preliminary isolations, but is not recommended for providing final subsea isolations. This is on account of the potential for software malfunctions (MCS is not SIL rated) and/or operator error.
Additionally, software-generated ‘switch-type’ isolations are not recommended as a means of setting a final form of subsea isolation as they do not provide a tangible (circuit) disconnection which may be physically witnessed/confirmed by diver. For example, it is not possible to carry out any local testing to determine whether an electrical supply circuit is dead at, or within, an SCM prior to the actual intervention.
In particular, the setting of preliminary isolations for high-power electrical circuits to subsea components (e.g. SCM power-supply, subsea pump power-supply, etc.) should not be provided through MCS software. Instead, a more safe and secure form of preliminary isolation (incorporating a physical separation) should be obtained at a high level in the topside electrical distribution system.
Any dependence upon software for the remote setting (via MCS) of electrical/communication/signal isolations requires that the specific combination of isolation management controls given in i) to iii) below, should be applied:
i) It is an essential requirement that the system hardware being disabled/inhibited is able to positively report (back to the MCS) in real time that the expected change of operational status takes place when the software ‘isolation’ is applied. Bulk system hardware operational checks should also be conducted to the subsea worksite to further confirm the security of the preliminary isolation. (The setting of a final isolation locally at the subsea worksite should be implemented immediately thereafter by physical disconnection of the communication, or instrumentation, electrical supply);
Note: This process accounts for any possible software malfunctions which may subsequently occur within the MCS, or any inter-linked system(s) – such as DCS, or ESD. In this regard, both the status of the MCS and the continued validity of software ‘isolations’ should be monitored for any unpredicted condition change, immediately prior to the commencement of control system reinstatement activities at the subsea worksite.
and
ii) For reasons of management responsibility and approval, any such isolation being set via the MCS should only be conducted by authorised personnel at a higher level of supervision than the normal operational level;
Note: Password and isolations: The utilisation of either a generic or personal log-on/password combination, as the authorised means of applying an isolation should not be accepted as the sole method whereby a software isolation, remotely set via the MCS, is considered to remain securely in place throughout the work.
and
iii) Following the setting of any such software ‘isolations’, access to MCS keyboard(s)/screen(s)/panel(s) should be restricted by physical locking6. Key(s) should be withdrawn to a central location of authority, to be kept under the control of a signed isolation certificate, as set out in the company permit to work system. This provides an increased level of isolation-security by preventing any inadvertent, or unauthorised, removal of software ‘isolation(s)’, throughout the subsea work.
Note: MCS isolations for subsea instrumentation. The specific isolation management control measures outlined in i) to iii) above do not necessarily apply to interventions associated with subsea instrumentation devices. This is on account of the relatively low power levels involved – typically, 4-20mA at +24 Volts DC – (see sections 5.1.2 and 5.2.2.1). These are not considered to be potentially hazardous levels of electrical energy for diver intervention work, therefore preliminary instrument isolations (‘inhibits’) may be remotely set (if required) via the MCS without the requirement for device-reporting, or the limiting of personnel access to the MCS.
For various technical reasons, however, care should be taken at the MCS to ensure that an isolated subsea instrumentation circuit is not inadvertently re-energised whilst still disconnected/open-circuit at the SCM (see sections 5.1.2.1.2.2 and 5.2.2.3.2).
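The controls i) to iii) for remote-set MCS isolations can be expressed as a review of an isolation record before diver work is released. The following is an added example, not part of the guidance or of any MCS product; the record fields, status strings and level numbering (a higher number meaning a higher level of supervision) are hypothetical.

```python
from dataclasses import dataclass
from typing import List

# Access restrictions treated as tangible: physical locking of the MCS interfaces,
# or one of the two alternatives named in the page's footnote 6 (labels are hypothetical).
TANGIBLE_ACCESS = {"mcs_locked", "locked_rack_workstation", "comms_physically_isolated"}


@dataclass
class SoftwareIsolation:
    """One remote-set MCS 'isolation'. Field names and values are hypothetical."""
    target: str
    role: str                  # "preliminary" or "final"
    circuit: str               # "high_power", "control" or "instrumentation"
    status_reports: List[str]  # time-ordered states the hardware reported to the MCS
    bulk_checks_done: bool     # bulk hardware operational checks to the worksite
    set_by_level: int          # supervision level of whoever set the isolation
    operator_level: int        # normal operational level
    access_control: str        # e.g. "mcs_locked" or "password_only"
    key_under_certificate: bool


def review(iso: SoftwareIsolation) -> List[str]:
    """Return the findings that block release; an empty list means none."""
    findings = []
    if iso.role == "final":
        findings.append("software isolation is not recommended as a final subsea isolation")
    if iso.circuit == "high_power":
        findings.append("high-power circuit: use a physical topside isolation, not MCS software")
    if iso.circuit == "instrumentation":
        # Low-power instrument inhibits: i) to iii) do not necessarily apply.
        return findings
    # i) positive real-time status report, with no later unpredicted change
    if "inhibited" not in iso.status_reports:
        findings.append("i) hardware never positively reported the inhibited state")
    else:
        first = iso.status_reports.index("inhibited")
        if any(s != "inhibited" for s in iso.status_reports[first:]):
            findings.append("i) unpredicted status change after the isolation was set")
    if not iso.bulk_checks_done:
        findings.append("i) bulk hardware operational checks not recorded")
    # ii) set by authorised personnel above the normal operational level
    if iso.set_by_level <= iso.operator_level:
        findings.append("ii) isolation set at the normal operational level")
    # iii) physical restriction of MCS access; a log-on/password alone is not accepted
    if iso.access_control not in TANGIBLE_ACCESS:
        findings.append("iii) MCS access not physically restricted")
    elif iso.access_control == "mcs_locked" and not iso.key_under_certificate:
        findings.append("iii) key not withdrawn under a signed isolation certificate")
    return findings


if __name__ == "__main__":
    # Constructed sample record: password-only control and a status that reverted.
    sample = SoftwareIsolation("SCM solenoid valve (constructed)", "preliminary", "control",
                               ["active", "inhibited", "active"], True, 2, 1,
                               "password_only", False)
    for finding in review(sample):
        print(finding)
```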
Note: The various isolation techniques denoted above will prevent the equipment to be worked on from becoming charged (powered) by connection to its own or normal supply. Depending on the inter-connecting cable type and service, however, these alone may not be sufficient to prevent residual electrical charge remaining within the component.
The possible presence of potentially harmful levels of electrical energy, either existing, or accumulating, as a result of latent charge (for example in the dielectric of high-voltage power supply cables to subsea) should therefore be considered, through a risk assessment process.
Where applicable, it is recommended that topside earthing connections are attached to the conductors of the cable system which has been set ‘open-circuit’ as part of the isolation scheme for low and medium voltage levels.
This earthing should be applied at least 60 minutes before the subsea work commences. For high and ultra-high voltages it is recommended that an extended discharge period is determined. This topside connection should remain in place for the duration of the work.
5.1.2.1.2 Applying Subsea Isolations
5.1.2.1.2.1 Inductive Couplers
It is uniquely possible, due to the specific design and properties of the wet-mateable inductive coupler, that local subsea isolations (and re-connections) may be performed whilst the electrical power/signal supply system remains live.
The inductive coupling is effectively a transformer assembly which has been divided in two parts, one half being permanently mounted into the bulk item of subsea hardware, whilst the other half is ‘free’ and connected to the output cable assembly in a fully potted housing. Electrical energy can only be transmitted (by completion of the electric field) when both halves of the transformer circuit in the couplers are brought close together in a specific face-to-face orientation. The external mating faces of the couplers are coated with an insulating varnish hence it should not be possible for diver or seawater to make contact with any metallic parts associated with the enclosed electric circuits.
6 Note: In the absence of any physical locking facility, such that restricted access to the MCS operator-interfaces cannot be implemented, an alternative method of ensuring the security of the preliminary isolation should be obtained. For example, this may be achieved by:
routing MCS control to an ‘engineers workstation’ located in a securely lockable 19” rack panel; or physical isolation of communications between the MCS and the SCM. Such alternatives, being tangible isolations, provide confidence to diving personnel that local and final physical isolation(s) can be safely implemented.
There does, however, remain the possible hazard of the coupler or its cables being damaged. Such deterioration will often be able to be checked using a line insulation monitor or similar device. If damage or malfunction is suspected then primary isolation should be carried out in the normal manner.
The inductive coupler is therefore uniquely considered to be safe and valid for the purposes of applying both preliminary and final isolations by the diver, at the subsea worksite location. The action of disconnecting the coupler thus equates to the two fundamental requirements of an isolation:
i) Provide an isolating gap sufficient for the voltage levels present, or likely; and
ii) Physical isolation is secure7 such that re-connection can not be made inadvertently.
5.1.2.1.2.2 Conductive Connectors
Whilst many designs of conductive (pin-to-pin) wet-mateable connectors are intended to be capable of being disconnected live, this is also not considered to be entirely safe or good economic practice. Utilising the conductive wet-mateable connector to provide a preliminary electrical isolation, at the subsea location, is therefore also not recommended.
Reasons in support of this are as follows:
Connector internal self-isolating mechanism may be, or become, faulty, without diving personnel being aware of this condition;
Gender identification terminology for connectors is not straightforward. For example, documented information may identify a removable connector-half as being ‘female’ thus expected to be furnished with ‘safe’ sockets. Caution is required as the connector may, in fact, contain protruding pins within a ‘socket’ body. It is therefore possible that diving personnel could be exposed to the hazard of live pin contacts at the end of a connector/cable system, whilst carrying out a disconnection operation;
Several varying designs of pin-to-pin connectors exist, each with differing (or no) internal isolation mechanism. This may lead to possible confusion in accuracy of supplier information, especially for connectors which have been installed for some considerable time;
Connectors with pin contacts which (inadvertently) remain live when exposed to seawater will be likely to incur permanent damage to the high-conductive coating on the pins in a period of very short duration for certain types. This may only be several hours;
Total recommended number of live disconnections throughout life of connector is a finite value. Improved up-time reliability is therefore achieved by preceding any disconnections with suitable isolations at a higher level in the subsea control system.
7 By working to appropriate disconnection/re-connection procedures.
Note: The above applies to wet-mateable cable connections for both the high-power input (supply) and the low-power output (communication or instrumentation) circuits of the subsea electrical architecture.
Though not recommended as a preliminary isolation, the disconnection of a wet-mateable connector/jumper assembly is, however, appropriate as a final local isolation since the preliminary isolation8 will already be in place and thus the wet-mateable connector should not be energised.
An additional benefit of applying a final local isolation, specific to the duration of the actual intervention work, is that any associated requirement to perform a main circuit power-down (with resultant implications for other systems components) may be kept to a minimum.
The action of disconnecting the subsea connector, to provide the final isolation, thus equates to the two fundamental requirements of an electrical isolation, i.e.:
Provide an isolating gap sufficient for the voltage levels present, or likely;
Physical isolation is secure such that re-connection can not be made inadvertently.
5.1.2.1.3 Subsea Isolator Switch
The subsea isolator is designed to either totally disconnect electrical power which is being supplied through an umbilical to items of subsea equipment, or, it may contain several contactors such that it is capable of routing power from one end-user to another (or several others). Control and setting of the isolator/diverter switch should only be capable of being performed remotely, by the topside installation.
In the simplest form of subsea switch design, it is unlikely to be able to discern (or test) the condition or status of internal contactors. It will not, therefore, be possible to demonstrate that an isolating gap sufficient for the voltage levels present (or likely) exists, nor that the physical isolation is secure such that it can not be re-connected inadvertently. In principle, this method of subsea electrical disconnection is therefore not considered suitable for intervention work involving divers, hence is not recommended for either preliminary or final isolation duties.
More advanced isolator/diverter designs, however, which are designed to provide subsea status-reporting may be appropriate as a final form of isolation, provided the following two key facilities exist:
i) Monitoring instrumentation within the subsea isolator/diverter provides